Quantcast
Channel: All SRX Services Gateway posts
Viewing all articles
Browse latest Browse all 17645

Port Forward configuration check

$
0
0

Helping with this thread

http://forums.juniper.net/t5/SRX-Services-Gateway/Port-Forward-and-DMZ-Help/td-p/298917

 

I've made this conf on my Juniper SRX210BE:

 

## Last changed: 2016-10-23 15:44:44 CEST
version 12.1X46-D55.3;
system {
    host-name JuniperSRX210;
    time-zone Europe/Rome;
    root-authentication {
        encrypted-password "password";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.5.1;
            }
            pool 192.168.5.1/24 {
                address-range low 192.168.5.180 high 192.168.5.254;
            }
            propagate-settings ge-0/0/0.0;
        }
        dynamic-dns {
            client address.dyndns.com {
                server dyndns;
                agent dyndns;
                username username;
                password "password";
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    at-1/0/0 {
        encapsulation ethernet-over-atm;
        atm-options {
            vpi 8;
        }
        dsl-options {
            operating-mode auto;
        }
        unit 0 {
            encapsulation ppp-over-ether-over-atm-llc;
            vci 8.35;
        }
    }
    pp0 {
        traceoptions {
            flag all;
        }
        unit 0 {
            point-to-point;
            ppp-options {
                pap {
                    default-password "text";
                    local-name Ispname;
                    local-password "password";
                    passive;
                }
            }
            pppoe-options {
                underlying-interface at-1/0/0.0;
                client;
            }
            no-keepalives;
            family inet {
                negotiate-address;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.5.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop pp0.0;
            metric 0;
        }
    }
}
applications {
    application appl1 {
        protocol tcp;
        destination-port 51413;
    }
    application appl2 {
        protocol tcp;
        destination-port 9101;
    }
    application appl3 {
        protocol tcp;
        destination-port 57532;
    }
}
security {
    alg {
        ftp ftps-extension;
        mgcp disable;
        rsh;
        sccp disable;
        sip {
            disable;
            application-screen {
                unknown-message {
                    permit-nat-applied;
                }
            }
            traceoptions {
                flag all;
            }
        }
    }
    flow {
        tcp-mss {
            all-tcp {
                mss 1350;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool pool1 {
                address 192.168.5.160/32;
            }
            pool pool2 {
                address 192.168.5.160/32;
            }
            pool pool3 {
                address 192.168.5.160/32;
            }
            rule-set nasports {
                from interface vlan.0;
                rule rule1 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 51413;
                    }
                    then {
                        destination-nat {
                            pool {
                                pool1;
                            }
                        }
                    }
                }
                rule rule2 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 9101;
                    }
                    then {
                        destination-nat {
                            pool {
                                pool2;
                            }
                        }
                    }
                }
                rule rule3 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 57532;
                    }
                    then {
                        destination-nat {
                            pool {
                                pool3;
                            }
                        }
                    }
                }
            }
        }
    }    
    policies {
        from-zone trust to-zone untrust {
            policy any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    traceoptions {
        file flowtrace size 10m world-readable;
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                at-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                pp0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

But the three tcp ports, 51413,9101 and 57532 are always closed on local ip 192.168.5.160.

My ISP using dynamic ip.

i'm really appreciate any more help, Thanks


Viewing all articles
Browse latest Browse all 17645

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>